Advent of Configuration Extraction – Part 3: Mapping GOT/PLT and Disassembling the SNOWLIGHT Loader
ID: d08d3692-53b5-5a55-a4c6-5091e9168fae
STIX ID: report--d08d3692-53b5-5a55-a4c6-5091e9168fae
Feed Name: Sekoia.io Blog
Date Published: 2025-12-15
Date Updated: 2026-04-29
Author: Jeremy Scion, Pierre Le Bourhis and Sekoia TDR
**SNOWLIGHT** is a compact ELF downloader used to fetch and execute remote payloads in memory; this analysis documents how to extract its C2 address and port by parsing .rodata and reconstructing GOT/PLT mappings with LIEF and disassembling main with Capstone, noting its use of memfd_create/fexecve, XOR decoding (0x99), and reported association with UNC5174/VShell intrusion activity.
